Abstract
We analyze the Secure Remote Password (SRP) protocol for structural weaknesses using the Cryptographic Protocol Shapes Analyzer (CPSA) in the first formal analysis of SRP (specifically, Version 3).
SRP is a widely deployed Password Authenticated Key Exchange (PAKE) protocol used in 1Password, iCloud Keychain, and other products. As with many PAKE protocols, two participants use knowledge of a pre-shared password to authenticate each other and establish a session key. SRP aims to resist dictionary attacks, not store plaintext-equivalent passwords on the server, avoid patent infringement, and avoid export controls by not using encryption. Formal analysis of SRP is challenging in part because existing tools provide no simple way to reason about its use of the mathematical expression \(v + g^b \mod q\).
Modeling \(v + g^b\) as encryption, we complete an exhaustive study of all possible execution sequences of SRP. Ignoring possible algebraic attacks, this analysis detects no major structural weakness, and in particular no leakage of any secrets. We do uncover one notable weakness of SRP, which follows from its design constraints. It is possible for a malicious server to fake an authentication session with a client, without the client’s participation. This action might facilitate an escalation of privilege attack, if the client has higher privileges than does the server. We conceived of this attack before we used CPSA and confirmed it by generating corresponding execution shapes using CPSA.
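As an added illustration (not code from the chapter or from the authors' CPSA models), the following Python carries out the SRP-3 arithmetic the abstract refers to: the server sends B = v + g^b mod q, and the client recovers g^b by subtracting g^x, which is exactly the "v acts as an encryption key" view the analysis adopts. The server-side key computation uses only the stored verifier v, never the password-derived x, which is why a transcript alone is not evidence of client participation. The group (2^127 - 1 with g = 3) and the use of SHA-256 for H are toy assumptions for this example, not an RFC 5054 group.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only (NOT a real SRP group):
# q is the Mersenne prime 2^127 - 1 and g = 3. Deployments use RFC 5054 groups.
Q = 2**127 - 1
G = 3


def H(*parts):
    """SHA-256 over the concatenation of ints/bytes (hash choice is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        if not isinstance(p, bytes):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return h.digest()


def private_key_x(salt, password):
    """x = H(s, P): known only to a party holding the password."""
    return int.from_bytes(H(salt, password), "big")


def verifier(salt, password):
    """v = g^x mod q: the only password-derived value the server stores."""
    return pow(G, private_key_x(salt, password), Q)


def server_public(v, b):
    """B = v + g^b mod q: v behaves like a one-time key 'encrypting' g^b."""
    return (v + pow(G, b, Q)) % Q


def scrambler(B):
    """u: SRP-3 derives a 32-bit value from B alone."""
    return int.from_bytes(H(B)[:4], "big")


def client_premaster(salt, password, a, B):
    x = private_key_x(salt, password)
    u = scrambler(B)
    gb = (B - pow(G, x, Q)) % Q          # 'decrypt' B: only a holder of x can strip v
    return pow(gb, a + u * x, Q)          # S = (B - g^x)^(a + u x)


def server_premaster(v, A, b, B):
    u = scrambler(B)
    return pow(A * pow(v, u, Q) % Q, b, Q)  # S = (A v^u)^b: needs v, not x


if __name__ == "__main__":
    salt, pw = b"constructed-salt", b"correct horse battery staple"
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    v, A = verifier(salt, pw), pow(G, a, Q)
    B = server_public(v, b)
    print(client_premaster(salt, pw, a, B) == server_premaster(v, A, b, B))
```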
Notes
- Wu incorrectly states the direction of his reduction, but his reduction actually proceeds in the correct direction.
References
Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 5–17. ACM, New York (2015). https://doi.org/10.1145/2810103.2813707
Arapinis, M., et al.: New privacy issues in mobile telephony: fix and verification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 205–216. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2382196.2382221
Bartzia, E.-I., Strub, P.-Y.: A formal library for elliptic curves in the Coq proof assistant. In: Klein, G., Gamboa, R. (eds.) ITP 2014. LNCS, vol. 8558, pp. 77–92. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08970-6_6
Basin, D., Cremers, C.: Modeling and analyzing security in the presence of compromising adversaries. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 340–356. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_21
Basin, D., Cremers, C.: Know your enemy: compromising adversaries in protocol analysis. ACM Trans. Inf. Syst. Secur. 17(2) (2014). https://doi.org/10.1145/2658996
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE Symposium on Research in Security and Privacy, pp. 72–84, May 1992
Blake-Wilson, S., Menezes, A.: Authenticated Diffie-Hellman key agreement protocols. In: Proceedings of the Selected Areas in Cryptography, SAC 1998, pp. 339–361. Springer, Heidelberg (1999). http://dl.acm.org/citation.cfm?id=646554.694440
Blanchet, B., Smyth, B., Cheval, V.: Proverif 1.90: automatic cryptographic protocol verifier, user manual and tutorial (2015). http://prosecco.gforge.inria.fr/personal/bblanche/proverif/manual.pdf
Böhl, F., Unruh, D.: Symbolic universal composability. J. Comput. Secur. 24(1), 1–38 (2016)
Boneh, D., Shoup, V.: A graduate course in applied cryptography version 0.5, January 2020. https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf
Browning, S.: Cryptol, a DSL for cryptographic algorithms. In: ACM SIGPLAN Commercial Users of Functional Programming, p. 1. ACM (2010)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS 2001, p. 136. IEEE Computer Society, USA (2001)
Canetti, R., Stoughton, A., Varia, M.: EasyUC: using EasyCrypt to mechanize proofs of universally composable security. In: 2019 IEEE 32nd Computer Security Foundations Symposium (CSF), pp. 167–183 (2019)
Church, A.: An unsolvable problem of elementary number theory. Am. J. Math. 58(2), 345–363 (1936)
Corin, R., Doumen, J., Etalle, S.: Analysing password protocol security against off-line dictionary attacks. Electron. Notes Theoret. Comput. Sci. 121, 47–63 (2005)
Delaune, S., Kremer, S., Pereira, O.: Simulation based security in the applied pi calculus. In: Kannan, R., Kumar, K.N. (eds.) IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science. Leibniz International Proceedings in Informatics (LIPIcs), vol. 4, pp. 169–180. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2009). http://drops.dagstuhl.de/opus/volltexte/2009/2316
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976)
Ding, J., Alsayigh, S., Lancrenon, J., RV, S., Snook, M.: Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 183–204. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_11
Doghmi, S., Guttman, J., Thayer, F.J.: Skeletons and the shapes of bundles. In: Proceedings of the 7th International Workshop on Issues in the Theory of Security, pp. 24–25 (2006)
Doghmi, S.F., Guttman, J.D., Thayer, F.J.: Searching for shapes in cryptographic protocols. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 523–537. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71209-1_41
Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981). https://doi.org/10.1109/SFCS.1981.32
Dreier, J., Duménil, C., Kremer, S., Sasse, R.: Beyond subterm-convergent equational theories in automated verification of stateful protocols. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 117–140. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_6. https://hal.inria.fr/hal-01430490/document
Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoret. Comput. Sci. 367(1–2), 162–202 (2006)
Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03829-7_1
Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA, Version 3.0, April 2017
Fabrega, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: why is a security protocol correct? In: Proceedings of the 1998 IEEE Symposium on Security and Privacy (Cat. No. 98CB36186), pp. 160–171, May 1998. https://doi.org/10.1109/SECPRI.1998.674832
Green, M.: Let’s talk about PAKE, October 2018. https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
Green, M.: Should you use SRP? October 2018. https://blog.cryptographyengineering.com/should-you-use-srp/
Guttman, J.D., Liskov, M.D., Ramsdell, J.D., Rowe, P.D.: The Cryptographic Protocol Shapes Analyzer (CPSA). https://github.com/mitre/cpsa
Haase, B., Labrique, B.: AuCPace: efficient verifier-based PAKE protocol tailored for the IIoT. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019, 1–48 (2018)
Hao, F., Shahandashti, S.F.: The SPEKE protocol revisited. In: Chen, L., Mitchell, C. (eds.) SSR 2014. LNCS, vol. 8893, pp. 26–38. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-14054-4_2
Jablon, D.P.: Strong password-only authenticated key exchange. ACM Comput. Commun. Rev. 26(5), 5–26 (1996)
Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. Cryptology ePrint Archive, Report 2018/163 (2018). https://eprint.iacr.org/
Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15
Lanus, E., Zieglar, E.: Analysis of a forced-latency defense against man-in-the-middle attacks. J. Inf. Warfare 16(2), 66–78 (2017). https://www.jstor.org/stable/26502758
Liskov, M.D., Ramsdell, J.D., Guttman, J.D., Rowe, P.D.: The Cryptographic Protocol Shapes Analyzer: A Manual. The MITRE Corporation (2016)
Liskov, M.D., Rowe, P.D., Thayer, F.J.: Completeness of CPSA. Technical report MTR110479, The MITRE Corporation (2011)
Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Inf. Process. Lett. 56(3), 131–133 (1995). http://www.sciencedirect.com/science/article/pii/0020019095001442
Maurer, U.M., Wolf, S.: The Diffie-Hellman protocol. Des. Codes Cryptography 19(2–3), 147–171 (2000). https://doi.org/10.1023/A:1008302122286
Meadows, C.: NRL protocol analyzer. J. Comput. Secur. 1(1) (1992)
Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978). https://doi.org/10.1145/359657.359659
Paulson, L.C.: Relations between secrets: two formal analyses of the Yahalom protocol. J. Comput. Secur. 9(3), 197–216 (2001)
Ramsdell, J.D., Guttman, J.D., Millen, J.K., O’Hanlon, B.: An analysis of the CAVES attestation protocol using CPSA. arXiv preprint arXiv:1207.0418 (2012)
Ryan, P.Y.A., Schneider, S.A.: An attack on a recursive authentication protocol. A cautionary tale. Inf. Process. Lett. 65(1), 7–10 (1998). https://doi.org/10.1016/S0020-0190(97)00180-4
Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman protocols and advanced security properties. In: 2012 IEEE 25th Computer Security Foundations Symposium, pp. 78–94, June 2012
Sherman, A.T., et al.: PAL GitHub repository, June 2020. https://github.com/egolaszewski/UMBC-Protocol-Analysis-Lab
Steiner, J.G., Neuman, B.C., Schiller, J.I.: Kerberos: an authentication service for open network systems. In: Proceedings Winter USENIX Conference, pp. 191–202 (1988)
Tang, Q., Mitchell, C.J.: On the security of some password-based key agreement schemes. In: Hao, Y., et al. (eds.) CIS 2005. LNCS (LNAI), vol. 3802, pp. 149–154. Springer, Heidelberg (2005). https://doi.org/10.1007/11596981_22
Taylor, D., Wu, T., Mavrogiannopoulos, N., Perrin, T.: RFC 5054, Using the secure remote password (SRP) protocol for TLS authentication. Technical report, RFC Editor, November 2007. https://doi.org/10.17487/rfc5054
Wu, T.: RFC 2944, Telnet authentication: SRP. Technical report, RFC Editor, September 2000. https://doi.org/10.17487/rfc2944
Wu, T.: The secure remote password protocol. In: Proceedings of the Internet Society on Network and Distributed System Security (1998)
Wu, T.: The SRP authentication and key exchange system. RFC 2945, September 2000
Wu, T.: SRP-6: improvements and refinements to the secure remote password protocol, October 2002
Zhang, M.: Analysis of the SPEKE password-authenticated key exchange protocol. IEEE Commun. Lett. 8(1), 63–65 (2004). https://doi.org/10.1109/LCOMM.2003.822506
Acknowledgments
We appreciate the helpful comments from Akshita Gorti and the reviewers. Thanks also to John Ramsdell (MITRE) and other participants at the Protocol eXchange for fruitful interactions. This research was supported in part by the U.S. Department of Defense under CySP Capacity grants H98230-17-1-0387, H98230-18-1-0321, and H98230-19-1-0308. Sherman, Golaszewski, Wnuk-Fink, Bonyadi, and the UMBC Cyber Defense Lab were supported also in part by the National Science Foundation under SFS grants DGE-1241576, 1753681, and 1819521.
To appear in Festschrift in Honour of Professor Andre Scedrov, Vivek Nigam, Editor, LNCS, Springer (June 11, 2020).
A CPSA Sourcecode
We list the critical snippets of CPSA source code that we used to model SRP-3 and carry out our analysis. A complete electronic version is available from our public GitHub repository [46].
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this chapter
Sherman, A.T. et al. (2020). Formal Methods Analysis of the Secure Remote Password Protocol. In: Nigam, V., et al. Logic, Language, and Security. Lecture Notes in Computer Science(), vol 12300. Springer, Cham. https://doi.org/10.1007/978-3-030-62077-6_9
DOI: https://doi.org/10.1007/978-3-030-62077-6_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62076-9
Online ISBN: 978-3-030-62077-6
eBook Packages: Computer Science, Computer Science (R0)